Hi Guys.
I am wondering: if a host is registered via device profiling but is not matching any user policy, then why is it still getting an IP from any VLAN other than isolation?
Also, if no NAP is matched, shouldn't FortiNAC put this user into either remediation or isolation?
As it stands, my user still has a production VLAN IP instead of going into isolation on a user profile match failure, or even on any criteria failure.
For example, if a user doesn't have the persistent agent, he should not be getting an IP from production.
Do my queries sound right, or am I not understanding how the product works in such use cases?
@FortiKoala @ebilcari
If a registered host does not match a network policy, then it will be put in the default VLAN that is configured on that port. FNAC will not put this host in isolation, since it is considered to be in a normal state.
To block access for these hosts (not hitting any NAP), you can change the default VLAN to some blackhole VLAN on the switch, or create a Network Access Policy to catch all these hosts and a logical network to move them to the same blackhole VLAN or to one of the isolation VLANs.
So if you want to perform strict NAC, can you set your default VLAN to your isolation VLAN? Is that recommended, or a good practice?
Created on 11-01-2023 06:23 AM Edited on 11-01-2023 06:28 AM
Yes. Based on my experience, and depending on your environment, you can use one of the following as the default VLAN to spare the initial VLAN change when a host is connected to the network for the first time:
- Registration, when you have frequent turnover of new devices presented on the network
- Remediation, when existing hosts change their compliance frequently
- Dead End or a blackhole VLAN, if you want full isolation of the hosts
To do this with a single change at device level, follow the steps as shown below:
Also enable "Reset Forced Default" on group membership for all the ports.
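To make the behaviour discussed in this thread concrete, here is an added example (not FortiNAC code and not from either poster) that models the assignment logic described above and audits switch ports for the gap the original question hit. The host states, the VLAN labels, the port names and the "persistent agent" policy are all constructed assumptions; the point it shows is that a registered host matching no NAP inherits the port's default VLAN, so a production default VLAN silently grants access while a dead-end default does not.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed VLAN labels; anything outside this set counts as "production" access.
ISOLATION_VLANS = {"registration", "remediation", "dead_end"}


@dataclass
class Host:
    mac: str
    registered: bool
    persistent_agent: bool = False
    at_risk: bool = False


@dataclass
class Policy:
    """Simplified Network Access Policy: a match function mapped to a logical network (VLAN)."""
    name: str
    matches: Callable[[Host], bool]
    vlan: str


@dataclass
class Port:
    name: str
    default_vlan: str          # the switch port's configured default VLAN
    policies: List[Policy]     # NAPs evaluated in order for hosts on this port


def assign_vlan(host: Host, port: Port) -> str:
    """Assumed model of the thread's description, not the product's real engine."""
    if not host.registered:
        return "registration"       # unknown/rogue host: isolated until registered
    if host.at_risk:
        return "remediation"        # failed a compliance scan: remediation VLAN
    for pol in port.policies:
        if pol.matches(host):
            return pol.vlan         # first matching NAP wins
    return port.default_vlan        # registered, healthy, no NAP matched: port default


def audit_ports(ports: List[Port], probe: Host) -> List[str]:
    """Names of ports where the probe host would land outside the isolation VLANs."""
    return [p.name for p in ports if assign_vlan(probe, p) not in ISOLATION_VLANS]


# Constructed sample data: one NAP that requires the persistent agent.
AGENT_REQUIRED = Policy("corp-users", lambda h: h.persistent_agent, "corp_users")
PORT_PROD_DEFAULT = Port("Gi1/0/1", "production", [AGENT_REQUIRED])   # risky default
PORT_DEADEND_DEFAULT = Port("Gi1/0/2", "dead_end", [AGENT_REQUIRED])  # hardened default
WITH_AGENT = Host("00:11:22:33:44:55", registered=True, persistent_agent=True)
NO_AGENT = Host("00:11:22:33:44:66", registered=True, persistent_agent=False)
```

Running `audit_ports([PORT_PROD_DEFAULT, PORT_DEADEND_DEFAULT], NO_AGENT)` flags only `Gi1/0/1`, which is exactly the port whose default VLAN should be changed to a registration, remediation or dead-end VLAN as the reply recommends.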
Copyright 2024 Fortinet, Inc. All Rights Reserved.